Firewall Public IP

Hi. Is my firewall good enough to protect me and my router from the outside? I have a public IP.

# model = RBD52G-5HacD2HnD
# serial number = B4A00A643903
# NOTE(review): the serial number identifies the physical unit; it is not a
# secret, but there is no reason to publish it together with a config dump.
/interface bridge
# arp=reply-only on every bridge: the router answers ARP but never learns
# addresses dynamically, so a host is only reachable if it has a static
# /ip arp entry or the DHCP server adds one (add-arp=yes, which only the
# "defconf" server on "bridge" sets).
# dhcp-snooping=yes with no port marked trusted: DHCP server replies that
# arrive on a bridge port are discarded, i.e. rogue DHCP servers on the LAN
# are blocked; the router's own DHCP server on the bridge is unaffected.
add admin-mac=24:4D:28:E2:13:14 arp=reply-only auto-mac=no comment=defconf \
    dhcp-snooping=yes name=bridge
# bridge2: wired ports ether3-5 plus the 5 GHz radio (see /interface bridge port).
add admin-mac=4A:dA:58:88:2B:61 arp=reply-only auto-mac=no dhcp-snooping=yes \
    name=bridge2
# bridge3: the 2.4 GHz radio only.
add admin-mac=F1:44:66:45:AD:DC arp=reply-only auto-mac=no dhcp-snooping=yes \
    name=bridge3
/interface wireless
# 2.4 GHz AP. default-forwarding=no stops the AP from relaying traffic between
# its own stations (client isolation); wps-mode=disabled removes the WPS
# attack surface; arp=reply-only applies on the radio as well as the bridge.
set [ find default-name=wlan1 ] arp=reply-only band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=poland default-forwarding=no disabled=no distance=\
    indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    "Vectra 2.4" wireless-protocol=802.11 wps-mode=disabled
/interface list
# Interface lists the firewall matches on. Members are assigned under
# /interface list member (WAN = ether1, LAN = the three bridges).
add comment=defconf name=WAN
add comment=defconf name=LAN
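/interface wireless security-profiles
# Default profile (used by wlan1): WPA2-PSK only, no EAP. disable-pmkid=yes
# stops the AP from sending a PMKID in the first EAPOL frame, which is what
# the offline PMKID hash-capture attack against WPA2-PSK relies on.
# The pre-shared key is redacted as "x" in this export.
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes \
    eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik \
    wpa2-pre-shared-key=x
# Profile for wlan2 (5 GHz): same hardening, separate key. The redacted key
# was left as an unterminated string ("x) in the export, which would swallow
# every following line on import; the quote is closed here.
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
    dynamic-keys name=WIFI2 supplicant-identity="" wpa2-pre-shared-key="x"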
/interface wireless
# 5 GHz AP with the same hardening as wlan1 (client isolation, WPS off,
# static ARP only) but its own WIFI2 security profile. Note this radio is a
# port of bridge2 (the wired segment), not of the Wi-Fi-only bridge3.
set [ find default-name=wlan2 ] arp=reply-only band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=poland default-forwarding=no \
    disabled=no distance=indoors installation=indoor mode=ap-bridge \
    security-profile=WIFI2 ssid="Vectra 5 Ghz" wireless-protocol=802.11 \
    wps-mode=disabled
/ip ipsec mode-config
# IKEv2 client side (responder=no): the router requests its tunnel address
# from the peer; traffic from the "local" address list (192.168.3.10-20, see
# /ip firewall address-list) is sent through the tunnel.
add connection-mark=no-mark name=Vpn responder=no src-address-list=local
/ip ipsec policy group
add name=KeepSolid
/ip ipsec profile
# Phase 1: AES-256, SHA-512, 3072-bit MODP (DH group 15) - a strong choice.
add dh-group=modp3072 enc-algorithm=aes-256 hash-algorithm=sha512 name=Vpn
/ip ipsec peer
# The peer is currently disabled, so none of the IPsec policy/filter/NAT
# rules elsewhere in this config are active until it is enabled.
add address=33.130.136.234/32 disabled=yes exchange-mode=ike2 name=Vpn \
    profile=Vpn
/ip ipsec proposal
# Phase 2: AES-256-GCM with PFS on the same 3072-bit group.
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm name=Vpn pfs-group=\
    modp3072
/ip pool
# Address pools for the three DHCP servers below. pool3 holds exactly two
# addresses (.19-.20), matching the two static /ip arp entries on bridge3.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool2 ranges=192.168.2.10-192.168.2.20
add name=pool3 ranges=192.168.3.19-192.168.3.20
/ip dhcp-server
# defconf server on "bridge": add-arp=yes creates an ARP entry for every
# lease, which is what makes a lease usable on an arp=reply-only bridge.
add add-arp=yes address-pool=default-dhcp disabled=no interface=bridge name=\
    defconf
# dhcp2/dhcp3 do NOT set add-arp. Since bridge2/bridge3 are arp=reply-only,
# a lease from these servers only works for a client that also has a static
# /ip arp entry (here: .19/.20 on each bridge). Either this is the intended
# MAC/IP allow-list (then pool2's .10-.18 are dead addresses and the pool
# should be shrunk to match), or add-arp=yes is missing - TODO confirm intent.
add address-pool=pool2 disabled=no interface=bridge2 name=dhcp2
add address-pool=pool3 disabled=no interface=bridge3 name=dhcp3
/system logging action
# Disk-backed log targets (USB stick at /disk1) so logs survive a reboot; a
# separate auth.log receives account (login) events, and "email" forwards
# them via /tool e-mail. The recipient address is redacted.
add disk-file-count=5 disk-file-name=/disk1/log disk-lines-per-file=10000 \
    name=usb target=disk
add disk-file-name=auth.log disk-lines-per-file=5000 name=auth target=disk
add email-to=x name=email target=email
/interface bridge port
# Port membership. ether1 is deliberately in no bridge (it is the WAN port).
# The comment=defconf labels on the bridge2/bridge3 ports are left over from
# the default config and do not mean these are default assignments.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge2 comment=defconf interface=ether3
add bridge=bridge2 comment=defconf interface=ether4
add bridge=bridge2 comment=defconf interface=ether5
add bridge=bridge3 comment=defconf interface=wlan1
# NOTE(review): wlan2 (5 GHz) is a member of bridge2, together with the wired
# ports ether3-5 - not of bridge3 as the thread later states. The forward
# rules that isolate in-interface=bridge3 therefore only cover the 2.4 GHz
# network; 5 GHz clients share a segment with the wired hosts on bridge2.
add bridge=bridge2 comment=defconf interface=wlan2
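/interface bridge settings
# Port-to-port traffic inside one bridge is NOT sent through the IP firewall.
# With use-ip-firewall=yes, frames between e.g. ether3 and ether4 on bridge2
# would traverse the forward chain, where the only "new" traffic accepted is
# LAN->WAN and everything else hits the final drop, so hosts on the same
# bridge could not talk to each other. Leaving this off restores normal
# bridge behaviour; traffic between different bridges is routed and is still
# firewalled.
set use-ip-firewall=no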
/ip neighbor discovery-settings
# No MNDP/CDP/LLDP on any interface: the router does not advertise its
# identity, platform or software version, neither on WAN nor on the LAN.
set discover-interface-list=none
/ip settings
# rp-filter=strict: a packet is dropped if the route back to its source does
# not leave through the interface it arrived on (e.g. a WAN packet carrying a
# LAN source address). Fine for this single-WAN, symmetric setup.
# NOTE(review): if the IPsec VPN is ever enabled, confirm that decrypted
# tunnel traffic is not rejected by strict mode - TODO verify.
# tcp-syncookies=yes protects the router's own listeners against SYN floods.
set rp-filter=strict tcp-syncookies=yes
/interface list member
# WAN = ether1 only; LAN = all three bridges. The filter/raw rules match on
# these lists, so any new interface must be added here to be covered.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge2 list=LAN
add interface=bridge3 list=LAN
/ip address
# One /24 per bridge; the router is .1 on each.
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.2.1/24 interface=bridge2 network=192.168.2.0
add address=192.168.3.1/24 interface=bridge3 network=192.168.3.0
/ip arp
# Static ARP entries (MACs redacted). Because every bridge is arp=reply-only,
# these are the only hosts the router will send frames to on bridge2 and
# bridge3 (on "bridge" the DHCP server adds entries for its leases as well).
# This is a weak allow-list: a client can spoof a listed MAC and take over
# the address while the real host is offline.
add address=192.168.88.254 interface=bridge mac-address=x
add address=192.168.3.20 interface=bridge3 mac-address=x
add address=192.168.3.19 interface=bridge3 mac-address=x
add address=192.168.2.20 interface=bridge2 mac-address=x
add address=192.168.2.19 interface=bridge2 mac-address=x
/ip dhcp-client
# WAN address from the ISP via DHCP on ether1.
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
# Static leases were redacted from the export; the bare "x" below is not
# valid RouterOS syntax and this section will not import as-is.
x

/ip dhcp-server network
# Clients are pointed straight at Google DNS; the router itself is not used
# as their resolver.
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.1
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.88.1
/ip dns
# Upstream resolvers for the router's own lookups. allow-remote-requests is
# not set, so the router does not serve DNS to clients; the input-chain drops
# on port 53 are therefore redundant rather than harmful.
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan
# NOTE(review): the purpose of this "rr" entry is unclear; it only affects
# the router's own resolver and can presumably be removed.
add address=8.8.8.8 name=rr
/ip firewall address-list
# "local": the hosts whose traffic goes through the IPsec VPN
# (src-address-list of /ip ipsec mode-config). This is a bridge3 range.
add address=192.168.3.10-192.168.3.20 list=local
# The remaining lists come from the MikroTik "Building Advanced Firewall"
# example and are consumed by /ip firewall raw and the forward chain:
#   no_forward_ipv4 - never routed through the box (forward chain)
#   bad_ipv4        - never valid as source or destination (raw)
#   not_global_ipv4 - private/reserved; dropped as source on WAN (raw)
#   bad_src_ipv4 / bad_dst_ipv4 - multicast/broadcast sanity (raw)
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
# Only populated by the detect-ddos chain in /ip firewall filter, which is
# never jumped to, so both lists stay empty.
add list=ddos-attackers
add list=ddos-target
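/ip firewall filter
# ===================== input chain: traffic TO the router =====================
# Rule order matters: the first matching rule wins.
# Port-scan detection on the WAN port (ether1): a source whose scan weight
# reaches 19 within 5 min (low ports weigh 2, high ports 3) is listed for
# 14w2d and dropped by the third rule. These run before the established/
# related accept, so every WAN TCP packet is inspected, not only new ones.
add action=add-src-to-address-list address-list=SuspectPort_Scanner \
    address-list-timeout=14w2d chain=input comment="Port Scanner Detect" \
    fragment=no in-interface=ether1 log=yes log-prefix="port skan" protocol=\
    tcp psd=19,5m,2,3
# UDP variant kept but disabled.
add action=add-src-to-address-list address-list=SuspectPort_Scanner \
    address-list-timeout=14w2d chain=input comment="Port Scanner Detect" \
    disabled=yes fragment=no in-interface=ether1 log=yes log-prefix=\
    "port skan" protocol=udp psd=19,5m,2,3
add action=drop chain=input src-address-list=SuspectPort_Scanner
# DNS to the router is dropped on every interface, LAN included. The router
# is not a resolver for clients (DHCP hands out 8.8.8.8/8.8.4.4 and
# allow-remote-requests is not set under /ip dns), and the final input rule
# drops this anyway, so these two are redundant. Remove them if the router
# is ever made the LAN resolver.
add action=drop chain=input dst-port=53 protocol=tcp
add action=drop chain=input dst-port=53 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# ICMP is accepted from anywhere, WAN included. Type filtering and echo
# rate-limiting are meant to happen in the /ip firewall raw icmp4 chain;
# make sure that chain is actually reached (its first prerouting rule is an
# accept-all when enabled).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Management (Winbox; port redacted as "x") only from "bridge" (ether2).
# Keep the port in step with /ip service winbox.
add action=accept chain=input dst-port=x in-interface=bridge protocol=tcp
# Everything else to the router is dropped - including all new traffic from
# WAN, which is what keeps the router unreachable from the internet.
add action=drop chain=input comment="drop wszystko"
# ================== forward chain: traffic THROUGH the router ==================
# FastTrack is deliberately disabled: it is placed before the IPsec policy
# rules and fasttracked packets are not seen by the remaining filter rules,
# so enabling it would bypass the VPN policy matching and the inter-bridge
# drops below.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Segment isolation: bridge3 (2.4 GHz Wi-Fi) must not reach bridge2 or
# bridge. Other directions and pairs fall through to the logged drop at the
# end of the chain. wlan2 (5 GHz) is on bridge2 and is NOT isolated by this.
add action=drop chain=forward in-interface=bridge3 out-interface=bridge2
add action=drop chain=forward in-interface=bridge3 out-interface=bridge
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
# The only new traffic allowed through the router is LAN -> WAN.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
# Nothing from WAN is accepted (there are no dstnat rules in /ip firewall nat).
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Catch-all drop with logging. The export left this log-prefix as an
# unterminated string, which would swallow the following lines on import;
# the quote is closed here.
add action=drop chain=forward log=yes log-prefix=\
    "ostatnia regulka z forwarda"
# ====================== detect-ddos chain (unreachable) =======================
# Nothing jumps to this chain (there is no action=jump jump-target=detect-ddos
# anywhere in filter or raw), so these rules never run and the
# ddos-attackers / ddos-target lists stay empty. Either add a jump (e.g. from
# forward for connection-state=new) or remove the chain together with the raw
# rule that references the lists.
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
    log=yes log-prefix=dooos
add action=add-dst-to-address-list address-list=ddos-target \
    address-list-timeout=10m chain=detect-ddos log=yes log-prefix=ddos
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos log=yes log-prefix=dddos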
/ip firewall nat
# The IPsec bypass rule is disabled, but the masquerade rule below carries
# ipsec-policy=out,none, which already excludes traffic matching an IPsec
# policy from NAT, so the VPN is not broken by this.
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
# Masquerade everything leaving via WAN. There are no dstnat (port-forward)
# rules, so nothing behind the router is reachable from the internet.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
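/ip firewall raw
# The "transparent firewall" rule is an unconditional accept, meant to be
# enabled only for a bridge-mode (transparent) firewall, which this router
# is not. In the exported config it was enabled (no disabled=yes), which
# ends raw processing for every packet and turns everything below - the
# bogon/non-global drops, the TCP-flag and ICMP sanity chains and "drop the
# rest" - into dead rules. It is disabled here, as in the defconf it was
# copied from.
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
# DHCP DISCOVER from an unconfigured client (0.0.0.0 -> broadcast) must be
# accepted before the bogon rules, which would otherwise drop it.
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
# Bogons are dropped here, before connection tracking, which is cheaper than
# dropping them in the filter chains.
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
# Private/reserved source addresses never legitimately arrive from the ISP.
# NOTE(review): if the IPsec VPN is enabled and the provider assigns a
# private mode-config address, confirm that decrypted return traffic (which
# presumably re-enters prerouting on ether1) is not caught here - TODO verify.
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN log-prefix="drop non global from wan" \
    src-address-list=not_global_ipv4
# Only the default subnet is protected by this rule; 192.168.2.0/24 and
# 192.168.3.0/24 rely on the forward chain ("drop all from WAN not
# DSTNATed") instead. Extending it to them would be consistent, subject to
# the same IPsec caveat as above.
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 \
    in-interface-list=WAN
# Per-bridge anti-spoofing: a packet arriving on a bridge with a source
# outside that bridge's subnet is dropped and logged.
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface=bridge \
    log=yes src-address=!192.168.88.0/24
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface=bridge2 \
    log=yes src-address=!192.168.2.0/24
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface=bridge3 \
    log=yes src-address=!192.168.3.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
# Matches the ddos-attackers/ddos-target lists, which nothing populates:
# the detect-ddos chain in /ip firewall filter is never jumped to.
add action=drop chain=prerouting dst-address-list=ddos-target log=yes \
    log-prefix=ddos src-address-list=ddos-attackers
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
# bad_tcp: drop TCP segments with impossible flag combinations (null scans,
# xmas-style probes) and port 0.
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
# icmp4: allow only the ICMP types needed for a working network; echo
# request/reply are limited to 5/s with a burst of 10, everything else is
# dropped.
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp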
/ip firewall service-port
# All connection-tracking helpers (ALGs) are off. This removes the helper
# attack surface; the trade-off is that protocols that depend on them
# (active FTP, SIP, H.323, PPTP) may not work from the LAN through NAT.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
# EAP-MSCHAPv2 client identity for the KeepSolid peer.
# NOTE(review): unlike every other secret in this export, password=haslo was
# not redacted; if that is the real EAP password it has been published and
# should be rotated.
add auth-method=eap certificate=\
    226B28D2-C2B3-4507-B3F0-7C01AD574E09_pl_ikev2.crt_0 eap-methods=\
    eap-mschapv2 generate-policy=port-strict mode-config=Vpn password=\
    haslo peer=Vpn policy-template-group=KeepSolid username=\
    x
/ip ipsec policy
# Policy template (any -> any) for the KeepSolid group; the concrete policy
# is generated per connection (generate-policy=port-strict on the identity).
add dst-address=0.0.0.0/0 group=KeepSolid proposal=Vpn src-address=0.0.0.0/0 \
    template=yes
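/ip service
# Only Winbox is left enabled, on a non-default port, and it is additionally
# bound to the management subnet (bridge / ether2, from which the thread says
# management is done) so that a firewall or NAT mistake cannot expose it to
# the WAN or to the other bridges. The input chain already limits it to
# in-interface=bridge; this is the second layer. Adjust the address if
# management ever moves to another segment. www-ssl is not in this export
# and is presumably at its default (disabled).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24 port=42271
set api-ssl disabled=yes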
/system clock
set time-zone-name=Europe/Warsaw
/system logging
# The default logging rules 0-3 are redirected to the USB disk. Account
# (login) events additionally go to auth.log and out by e-mail.
set 0 action=usb
set 1 action=usb
set 2 action=usb
set 3 action=usb
add action=auth topics=account
add action=email topics=account
/system ntp client
# A single NTP source with no secondary. Correct time matters for log
# correlation and for certificate validation (IPsec); plain NTP is
# unauthenticated.
set enabled=yes primary-ntp=153.19.250.123
/tool bandwidth-server
# Bandwidth-test server off, so nobody can use the router to generate traffic.
set enabled=no
/tool e-mail
# Outbound mail for log alerts via Gmail with STARTTLS on 587. The account
# password is stored in the router config (redacted in this export); use a
# dedicated app password rather than the account password. The "from=<x"
# value is a redaction artifact.
set address=smtp.gmail.com from=<x password=\
    "x" port=587 start-tls=yes user=\
    x
/tool mac-server
# Layer-2 management (MAC-telnet, MAC-Winbox, MAC-ping) disabled on every
# interface, so the router cannot be managed from a LAN port without an IP
# path that the firewall controls.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

no one knows ?

Seems OK (although much more is present than the default rules; you seem to have aggregated various rules you found?)
I would enhance a bit more

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=42271 ===> Add the IP range of the internal LAN (or even just the one PC from which you manage the router with Winbox) via `address=`; then, if a NAT/firewall user error ever exposes the port, the service itself is still not reachable!
set api-ssl disabled=yes

As soon as I saw this I stopped reading…
/interface bridge settings
set use-ip-firewall=yes

It's only used by advanced users, and clearly you are not one, so you have been watching too many YouTube videos for your own good.
But I ventured on in hope of something otherwise…

Then I saw the second red flag…a rarely set parameter used for very specific circumstances…
/ip settings
set rp-filter=strict tcp-syncookies=yes

My hopes were becoming dashed,but I forged ahead…

( to be honest I also do not understand the IP ARP usage but that is beyond my scope).

Then I barfed when I got to the bloated firewall chain…
Then I decided my initial unease was completely warranted, as I see you have blocked DNS to the router from anywhere – which would leave you without any internet browsing if the clients relied on the router as their resolver (here they are handed 8.8.8.8/8.8.4.4 by DHCP, so they bypass it)…
and in the forward chain have a bunch of blocking rules
and then a block all rule at the end.

This sorta cements that you have no business monkeying with the config until you understand what each rule does.
Go back to default firewall rules, drop all the extra garbage and then we can talk… on what needs to be added.
I recommend the following as a starting place.

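/ip firewall filter
# Minimal default-style ruleset. Straight quotes and line continuations are
# used so this pastes into a terminal/import as-is (the original was wrapped
# by the forum and used typographic quotes).
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="default configuration" \
    connection-state=established,related,untracked
# This drop was labelled chain=forward in the original but sits among the
# input rules (the forward drop-invalid appears again below), so it is
# taken as the input-chain rule of the default config.
add action=drop chain=input comment="default configuration" \
    connection-state=invalid
add action=accept chain=input comment="default configuration" protocol=icmp
# dst-port only matches together with a protocol; IKE/NAT-T is UDP. Add a
# separate rule for protocol=ipsec-esp if the tunnel is not NAT-traversed.
add action=accept chain=input in-interface-list=WAN protocol=udp \
    dst-port={ YOUR IPSEC PORT(S) }
add action=accept chain=input comment="default configuration" \
    in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# --- forward chain: traffic through the router ---
# IPsec policy matches come before fasttrack so tunnel traffic is never
# fasttracked (fasttracked packets skip the remaining filter rules).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="default configuration" \
    connection-state=established,related
add action=accept chain=forward comment="default configuration" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
# Only dstnat-ed (explicitly port-forwarded) new connections from WAN.
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"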

Agreed, the FW rules are complex and more than is basically needed.
Not commenting on other config-aspects like the bridges and certain settings. Not related to firewall/NAT

But bottom line with these rules it looks “secure” for sure, probably many are overkill.

As anav noted, you would need to remove the rules below if you want DNS queries to reach the router…
Is your MikroTik acting as the DNS server for clients on the LAN?

add action=drop chain=input dst-port=53 protocol=tcp
add action=drop chain=input dst-port=53 protocol=udp

@anav: Few updates for your helper firmware:

  • The whole business with ARP is to prevent connected clients from manually configuring random IP addresses. They will either have to get them from DHCP, or their manually configured ones must be also defined on router (in /ip arp). If they fail to do that, router won’t communicate with them.
  • Strict RP filter is good if your configuration allows it (no multi-WAN, for example), because it automatically blocks packets from wrong sources: e.g. a packet using a source address that belongs to your LAN will be dropped if it arrives from WAN.
  • The use-ip-firewall setting can be useful, but most users should stay away from it unless they know very well why they need it. It makes packets that would otherwise be bridged go through the IP firewall as if they were routed, so if your LAN is a bridge with multiple interfaces you can filter even local traffic between those interfaces. If you don't know exactly what you're doing, the results can be quite unexpected.

And yes, some things in the firewall are useless, like the whole port-scanner business and the DNS blocking, since both would be dropped anyway by the final input rule. The same goes for the rules blocking traffic between bridges, and for the unused detect-ddos chain (nothing jumps to it).

What is the diff between.
a. setting a mac to LANIP as static.
b. setting a mac to LANIP ARP

Example of a. and b.? I don’t know what you mean.

Wow, you really need to take your alzheimers drugs. :wink:

Remember this text: “The whole business with ARP is to prevent connected clients from manually configuring random IP addresses. They will either have to get them from DHCP, or their manually configured ones must be also defined on router (in /ip arp). If they fail to do that, router won’t communicate with them.”

I do this with a static DHCP lease. The MAC address is tied to a specific IP address. So what is different with /ip arp?

Your static lease means that if client asks for IP address, it gets the one reserved for it. But it doesn’t prevent some other client from assigning this address manually. If they are going to be active both at the same time, there will be conflicts, so you’ll probably notice. But if the legitimate one is offline, the other one would be able to use that address without any problem.

To prevent this, you can set arp=reply-only for interface where they are connected, and tell dhcp server to add arp for leases using add-arp=yes. But if you want some client with static address connected to interface with arp=reply-only, you’ll have to add entry in “/ip arp” manually. But it’s not strong protection, because client can also use fake mac address, and if there’s dhcp reservation for it or manual arp entry, it will work (as long as the real client is not active at the same time).

Yes, but only if the router is set up as a DNS server; otherwise no.

I am a new MikroTik user (still learning); I was trying to use this config: https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall
I have already turned off "use-ip-firewall" on the bridge, thank you.

I will try to explain what i want to do
Ether1 = WAN
Ether2 = bridge1 (my computer, only access to winbox is from bridge1)
Ether3,Ether4,Ether 5 - bridge2
Wlan,Wlan2 = bridge3
I didn't know how to isolate the networks, so I made separate bridges.
All I want is to block communication between the networks and to block access to the router from WAN.
and I know that some of rules in firewall are not necessary, but its only information for me.
In the past my neighbour was "testing" attacks on me, such as an evil-twin attack on my Wi-Fi, DNS spoofing, MITM, etc. He knows my IP. Two weeks ago I saw a new MAC address on my Wi-Fi network (bridge3) and I don't really know how he did it. I think he logged in to the router from outside and that is how he got the Wi-Fi password. I have a really strong password on the Wi-Fi, WPA2-PSK, WPS disabled.